May 17, 2011

Over 99% Of Android Phones Leaking Data

German security researchers have found that over 99 percent of Android phones are potentially leaking personal data.

The data being leaked is typically used to get at web-based services like Google Calendar.

University of Ulm researchers Bastian Könings, Jens Nickels, and Florian Schaub made their discovery while watching how Android phones handle login credentials for web-based services.

Many applications interact with Google services by asking for an authentication token.

The researchers said these tokens are sent in plain text over wireless networks. This makes them easy to spot, so criminals eavesdropping on the Wi-Fi traffic could find and steal them.

A criminal who obtains one of these tokens would be able to pose as that user and get at their personal information.

The team said tokens are not bound to particular phones or time of use, so they can be used to impersonate a handset almost anywhere.

"The adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user," the researchers wrote in a blog post explaining their findings.

"An adversary could change the stored e-mail address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business," the team wrote.

There is no indication that hackers are exploiting the Android loophole.

The team found almost all versions of the Android operating system were passing around unencrypted authentication tokens.

The researchers urged Android owners to update their devices to avoid falling victim to attacks through the loophole. Google is also known to be working with operators and handset makers to get updates to people faster.